Here is the critical code:
  /*
    Scan for the first quoted string and parse the XPM header values
    from it; every field, including image->colors, is read from file data.
  */
  for (p=xpm_buffer; *p != '\0'; p++)
  {
    if (*p != '"')
      continue;
    count=sscanf(p+1,"%lu %lu %u %lu",&image->columns,&image->rows,
      &image->colors,&width);//279
    if (count == 4)
      {
        (void) LogMagickEvent(CoderEvent,GetMagickModule(),
          "Columns: %lu, Rows: %lu, Colors: %u, Char Per Pixel: %lu",
          image->columns, image->rows, image->colors, width);
        break;
      }
  }
….
  /*
    Initialize image structure.
  */
  /*
    Array of image->colors pointers is requested with no upper bound
    applied to image->colors before the allocation.
  */
  keys=MagickAllocateArray(char **,image->colors,sizeof(char *));//336
  if (keys == (char **) NULL)
    ThrowXPMReaderException(ResourceLimitError,MemoryAllocationFailed,image);
…
Line 279 sets the value of image->colors by reading from file data, and line 336 uses image->colors to allocate memory. So the size of the allocation can be controlled by a crafted image. If it is set to a big number, it will cause a lot of memory usage. This may cause memory exhaustion.
Credit: ADLab of Venustech
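The following stand-alone program, added here as an illustration and not code from GraphicsMagick, reproduces the parsing pattern above on two constructed header strings and places the unchecked allocation beside a bounded one. MAX_COLORMAP_SIZE, the XpmHeader struct, the function names and the sample XPM fragments are all assumptions made for this example; the real MaxColormapSize value is not taken from this page.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumed bound standing in for GraphicsMagick's MaxColormapSize; the
 * library's actual value is not stated on this page. */
#define MAX_COLORMAP_SIZE 65536U

/* Fields read from the XPM "values" line, mirroring the reader's sscanf. */
typedef struct {
    unsigned long columns;
    unsigned long rows;
    unsigned int colors;
    unsigned long width;   /* characters per pixel */
} XpmHeader;

/* Find the first double-quoted string and parse the four header numbers
 * from it, the same way the reader's loop does (it moves on to the next
 * quote when fewer than four fields are present).
 * Returns 1 when all four fields were read, 0 otherwise. */
int parse_xpm_values(const char *xpm_buffer, XpmHeader *h)
{
    const char *p;
    for (p = xpm_buffer; *p != '\0'; p++) {
        if (*p != '"')
            continue;
        if (sscanf(p + 1, "%lu %lu %u %lu",
                   &h->columns, &h->rows, &h->colors, &h->width) == 4)
            return 1;
    }
    return 0;
}

/* Unchecked allocation: the key table is sized directly from the
 * file-controlled colors field, so a crafted header can request gigabytes.
 * Kept for comparison; not called below. */
char **allocate_keys_unchecked(const XpmHeader *h)
{
    return (char **) calloc(h->colors, sizeof(char *));
}

/* Bounded allocation: refuse absurd colormap sizes before touching the
 * allocator, the same idea as the MaxColormapSize check in 1.3.26.
 * Returns NULL and sets *rejected when the header is refused. */
char **allocate_keys_checked(const XpmHeader *h, int *rejected)
{
    *rejected = 0;
    if (h->colors == 0 || h->colors > MAX_COLORMAP_SIZE) {
        *rejected = 1;
        return NULL;
    }
    return (char **) calloc(h->colors, sizeof(char *));
}

/* Returns the parsed colors field, or 0 if no header could be parsed. */
unsigned int parsed_colors(const char *xpm_buffer)
{
    XpmHeader h;
    return parse_xpm_values(xpm_buffer, &h) ? h.colors : 0;
}

/* Returns 1 if the bounded path accepts the header (memory freed again),
 * 0 if parsing failed or the header was rejected. */
int header_is_acceptable(const char *xpm_buffer)
{
    XpmHeader h;
    int rejected;
    char **keys;
    if (!parse_xpm_values(xpm_buffer, &h))
        return 0;
    keys = allocate_keys_checked(&h, &rejected);
    if (keys == NULL)
        return 0;
    free(keys);
    return 1;
}

/* Constructed sample inputs (not real files): a benign 4-colour header and
 * one that declares roughly four billion colours. */
static const char *const BENIGN_XPM =
    "/* XPM */\nstatic char *x[] = {\n\"8 8 4 1\",\n";
static const char *const HOSTILE_XPM =
    "/* XPM */\nstatic char *x[] = {\n\"8 8 4294967295 1\",\n";

int main(void)
{
    unsigned long bytes = (unsigned long) parsed_colors(HOSTILE_XPM)
                          * (unsigned long) sizeof(char *);
    printf("hostile header would request %lu bytes for the key table\n", bytes);
    printf("benign accepted: %d, hostile accepted: %d\n",
           header_is_acceptable(BENIGN_XPM), header_is_acceptable(HOSTILE_XPM));
    return 0;
}
```

The point of the bounded path is that the check runs on the parsed number before any allocation is attempted, so the cost of a hostile header is a parse and a comparison rather than a multi-gigabyte request that the allocator may partially satisfy.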
Version 1.3.26 already sanitizes image->colors by reporting an error if image->colors > MaxColormapSize so this problem no longer exists.